Innovation in Information Security

Around the Frayed Edge of PCI DSS

Following the breach of credit card processor, Heartland, there has been heated debate on both sides of the argument, as to the value of PCI and similar mechanisms for ensuring data safety (the new buzz word of the month being Data Loss Prevention) and system and network integrity. It doesn't really matter whether there is anything better available in the marketplace or not, PCI DSS has been seized upon as the 'best practice' which could lead to ostracisation (excommunication, maybe) if a business chooses not to follow it and still tries to carry out credit and debit card transaction handling.

It only takes a single hole to undo a well-constructed set of defences, but if so many companies are touting their compliance and adherence to the PCI DSS, and no fully accredited company has had a breach, what really happened with the Heartland and RBS Worldpay cases? Is it really security theatre as some would argue, or is it merely the latest sticking point for people who don't want to go through the process of auditing and assessment to get accredited? Are companies claiming that they are compliant, but aren't, in order to retain or attract customers who are aware of the existence of PCI?

Some of the most ardent advocates of PCI claim that, even if it were security theatre, then it has at least raised awareness of Information Security in general and still represents a great leap forward in that respect and helps force some basic best practices. The problem with this argument is that doing a really bad job at Information Security can be more dangerous than no effort at all.

Did Sarbannes-Oxley prevent the financial meltdown? Did the presence of HIPAA and SB1386 stop the growth of information breaches (it has to be admitted that SB1386 really set the standard for information disclosure reporting and helped formalise the current requirements that exist)? No, and no.

What would go a long way to helping assuage concerned observers would be complete transparency with reporting of breaches and the subsequent investigations. So you've had a breach and had to report it. The time for trying to save face has already passed, now it is important, if not essential, for complete and open honesty in order that others may learn from what happened to you (even if it is your mistake that led to the incident). Unfortunately, this will only happen in an ideal world - there is just too much at stake to expect people to be completely honest and open about what has happened or is happening. Besides, Denial is one of the stages of grief and a major security incident does attract a grief-like response.

This is an area where the direct involvement of an Information Security professional is really what is needed, but it also seems to be the least likely to actually happen within the organisations that need it the most. Good security practices and awareness, even without the software and hardware elements to back them up are better than all the software, hardware, and industry best practices that are only backed by a laissez faire attitude.

Just a little something to think about the next time you sit down to consider your Information Security needs and compliance to industry standards.